RSA Europe 2013: The state of security with conference chair Hugh Thompson

It’s the question you guys get asked every year before RSA Europe because it’s always an intriguing one: What do you expect to be the biggest security subjects and talking points at this year’s show?

There are 3 main hot topics at this year's RSA Conference Europe.

First is mobility - this year it's gotten much more specific. In the sessions this year attendees can expect to find very specific solutions, implementations around BYOD and discussions on real mobile malware. There is definitely a maturity on that topic over last year.

The second is analytics which spans a few areas. One is threat analytics; using big data to anticipate threats or attacks against an organisation. The other is collaboration across multiple entities for threat intelligence. We’ve also seen a lot of interest in the area of forensics to discover and analyse targeted attacks. The implementation of big data of analytics is big this year and you’ll see it peppered throughout the keynotes and regular sessions.

The third trend or hot topic this year in terms of interest building towards the Conference is around privacy. Not just data privacy but also data sovereignty. If I am processing data inside my company inside a particular country, who has access to that data and is it protected and contained? There is likely to be a healthy amount of discussion around it at this year's conference especially given the more recent press on Edward Snowden. People are asking questions about the technology supply chain in a different way. It used to be that the supply chain was all about: 'could you be hacked by an attacker going after your supply chain?' This year there are a lot of questions around: 'does any of my supply chain sit in a country where the data could be used, viewed, analysed by a foreign entity'

Which keynotes or sessions are you most looking forward to? Why?

I am definitely looking forward to Lord Sebastian Coe's keynote on the last day of the Conference. The scope and scale of the 2012 London Olympics, how do you provide security and what actually happens in terms of risk? On that topic, I am also pretty excited to hear from Mark Hughes on what happened behind the scenes from a threat perspective during the Olympics. I think there will be lessons to learn that are translatable in to other areas.

I am also looking forward to hearing what Art Coviello opening keynote at the conference; he’s very good at capturing the pulse of the conference. A lot has happened in the information security community between RSA Conference US and RSA Conference Europe so there will be a lot of attention focused on that talk.

Outside of the keynotes, I couldn't pick just a couple of sessions because I think this is the best line-up of speakers we’ve ever had, There will be a lot of talks about actual practical analytics and you can find them in almost every track which is very exciting. I am very interested to see what people have actually done when it comes to measuring systems, measuring data so if you try to find me during the week that's where I am going to be.

Events like RSA are great for discussion, but what benefits can actually be taken away from a conference like this?

There has never been a more important time for the security community to get together. It's not just to swap stories and collaborate. I think that It's really an amazing time for people to truly understand what's going on in different disciplines of security. When you think about where you can get that type of information, there are practically very few sources. There are lots of different publications and different blogs online but you don't really get an interactive forum where you can truly learn from peers and find out what worked for them and what didn't. Right now more than any time in the past we quickly need to figure out what works and what doesn't especially in the face of these highly targeted, very sophisticated attacks, combined with the rise of hacktivism and the growing sophistication of cybercrime.

What are the biggest changes you've seen during your time in IT security?

I guess the biggest change is that what was considered conventional wisdom 10 years ago now isn't. Most of it is probably considered bad advice now. Think about how many other industries that you could be in that have had the amount of challenges and change in the last 10 years as we have in infosec. Just to give you a sense, 10 years ago the biggest thing we had to worry about was mass market malware - things like Melissa, Code Red. Those viruses and worms were problems because it took a long time for people to patch and they exploited previously known vulnerabilities in unpatched systems.

That was really what kept most of us up all night back then. You look at those threats under the lens of today's security technologies and they are pretty straightforward to address. The threats that we are most worried about today come from incredibly well funded adversaries who are willing to spend a lot of time and energy to go after just one specific target. Combine this with the challenges posed by hacktivism, maturing cybercrime organisations and attacks against embedded and mobile devices and the result is a field that is constantly redefining itself.

Do you feel companies are on top of the security challenges posed by increased mobility and trends like BYOD?

Many companies are actively investigating it and I'd say most companies are still long-term undecided about what to do around BYOD. People take a wide range of positions on it, from containerisation, to mobile devise management, to network security techniques. One thing for sure is that we are past the point of being able to ignore it or effectively set policies to stop it. I just don't think that's a tenable, long term solution.

Do you expect companies at RSA to be concerned with the growing level of nation-state 'cyber-wars' on critical infrastructure? Or are they just concerned about their own businesses and data?

I think companies are concerned about nation-state attacks on critical infrastructure because attacks on those systems will have a material impact on their business. Most companies can't operate without power or a telco company on the back end, these critical infrastructure problems are everybody's problem. People will be very interested to hear what is happening in that space, how attackers are going after those types of entities and really what can we do as a community to come together and help. Maybe that's education, better collaboration; this is a big open question for this conference.

In the perennial struggle between ‘hackers’ and security specialists, is it inevitable the latter will always be one step behind?

I don't think it's inevitable, I think in companies you often see defenders one step behind but that's normally because defenders find it difficult to justify the budget for the security technologies they need to have to be one step ahead from where the attackers are. I don't think we should be in a fatalist industry.I think we can set up architectures that allow us to really be flexible and agile when it comes to security. It doesn't mean that you are going to stay ahead of every threat - it means if you prepare, you will be able to quickly respond and recover when a threat enters the environment. I think if we plan for agility and plan for these smaller failures that we would be in a lot better shape

Hugh Thompson (pictured) is RSA Conference Program Chair. This year's RSA Europe takes place from 29-31 October at the Amsterdam RAI, The Netherlands. For more information visit: